UK gov finally decides on Huawei 5G equipment ban

[Corky34]

The UK government has a lot of powers but there tends to be checks and balances as well as media outrage for abuse (tends).

Now, I'll sit back and wait for someone to tell me how wrong I am. My spelling is quite bad also.

I'm not going to tell you you're wrong on the rest of what you've said but (iirc) the investigatory powers act makes it a criminal offence to report, or even talk about, what you believe to be 'equipment interference' from the security services, there's also the super secret IPC, in general the checks and balances are pretty weak and there can't really be media outrage because it's all done in secret, plus you'd be lucky to find anyone in the mainstream media (i hate that term) who has more than the most basic understanding of computers and/or IT systems.

[philehidiot]

I'm not going to tell you you're wrong on the rest of what you've said but (iirc) the investigatory powers act makes it a criminal offence to report, or even talk about, what you believe to be 'equipment interference' from the security services, there's also the super secret IPC, in general the checks and balances are pretty weak and there can't really be media outrage because it's all done in secret, plus you'd be lucky to find anyone in the mainstream media (i hate that term) who has more than the most basic understanding of computers and/or IT systems.

The RIPA / IPA stuff was an utter disgrace. I can understand why you don't want people commenting on finding listening devices and so on as it would tip off investigators but the whole act is a farce.

The list of people who can view your internet history without any kind of judicial oversight is insane. DEFRA can view your internet history and ISPs are mandated to record it.

Then you have, atop this, that councils were using the RIPA to put cameras on people's bins to check they were recycling right. On their property. They were swiftly told to knock that off after it appeared in Private Eye.

I happen to know the government has bugger all on me, which is a relief, but the fear of saying the wrong thing and having the cops at the door is only enhanced by this madness of over the top surveillance on the populus. In the USA they are supposed to go to a secret court with an impartial judge for this stuff (FISA court?) and apparently that's just a rubber stamping, back scratching, money raking farce where nothing gets declined.

As I tried to make clear, the UK government does have over the top powers to spy on people. It's historical that our government gets its hands dirty in any new technology that comes along and passes through its hands. BUT I generally believe from what I've seen that it is used as intended.

I want to get this new contact tracing app on my phone and get sniffing some packets to see where they go. My real concern about surveillance isn't from the government, it's from the private companies who we agree to give all our data to by social pressure or even just wanting to own a smartphone. If you want to get a taste of the capabilties that gives you as a OSI investigator, have a look at the capabilities of Maltego. The private companies have very little checks and balances so, if you think the government's knowledge of your life is scary, remember that's targetted and they should have a reason to target you.

Honestly, have a look at Maltego. You can play with it by downloading the community edition (honestly thought I found that too limiting but it gives you a taste of what can be done with just open source intelligence from the data we voluntarily share).

[philehidiot]

Strewth, the wife and I just bought a couple of phones (BT) Huawei software onboard... But I don't think we need too worry at the moment... If push-comes-to-shove we'll just get others'..

I don't think it matters so much at the individual level. It's at the strategic level you need to be considering if there's a problem.

I'd never advise anyone to get a Huawei device these days but that's more due to the Yanks putting them on the no-no list and causing that person problems with their device rather than spying. Anyone who buys a smartphone is consenting to surveillance.

[CAT-THE-FIFTH]

Anyone who buys a smartphone is consenting to surveillance.

Which is true of all smartphones and smartphones OSes and apps. Also in the end with the amount of information some of these large tech firms have on you,it would be probably easier for foreign governments to use those companies to mine data via shell companies. These companies are beholden to their shareholders or their owner's whims. Companies such as Cambridge Analytica had links to large data mining companies such as Palantir Technologies,who also who has access to our NHS data and even intelligence data from our government. People might have though the concept of mega-corporations such as OCP or Weylan-Yutani in science fiction was a trope,but it is a real thing now,since they have their fingers in so many pies.

Such companies also have similar access in other countries - has no one asked who watches the watchers with these companies?? They work across national boundaries. What if they get infiltrated by other governments or basically sell their data to the highest bidder??

Yet our governments worry about Huawei,etc but ALSO don't worry about physically giving access to some of our most important data to these multi-national private companies. Very few of which highlight that our private data has been massively compromised for years,and is probably up for sale to the highest bidder already. Plus what about the security implications of how this data is stored and where??

Yet the rate at which our governments are using these private companies to handle our most private data is actually increasing. I am actually more concerned at this,because we are just handing stuff over to these companies,ie,no hacking or infiltration needed! Plus the other issue,is how is the data going to be used - how long before some politicians decide they can use it to shape public opinion to stay in power longer,or a big company can use it to help themselves?

[philehidiot]

Yet the rate at which our governments are using these private companies to handle our most private data is actually increasing. I am actually more concerned at this,because we are just handing stuff over to these companies,ie,no hacking or infiltration needed! Plus the other issue,is how is the data going to be used - how long before some politicians decide they can use it to shape public opinion to stay in power longer,or a big company can use it to help themselves?

The UK government's "nudge unit" is doing exactly that and has been for some time.

If you want just a taste of the power of these companies when combined, have a gander at Maltego. It's used as the core of social engineering and beings together all open source intel (social media, etc) into one simple graph in order to plot how you're going to deliver a payload to a target. There are a few videos on Youtube on Maltego.

[spacein_vader]

Which is true of all smartphones and smartphones OSes and apps. Also in the end with the amount of information some of these large tech firms have on you,it would be probably easier for foreign governments to use those companies to mine data via shell companies. These companies are beholden to their shareholders or their owner's whims. Companies such as Cambridge Analytica had links to large data mining companies such as Palantir Technologies,who also who has access to our NHS data and even intelligence data from our government. People might have though the concept of mega-corporations such as OCP or Weylan-Yutani in science fiction was a trope,but it is a real thing now,since they have their fingers in so many pies.

Such companies also have similar access in other countries - has no one asked who watches the watchers with these companies?? They work across national boundaries. What if they get infiltrated by other governments or basically sell their data to the highest bidder??

Yet our governments worry about Huawei,etc but ALSO don't worry about physically giving access to some of our most important data to these multi-national private companies. Very few of which highlight that our private data has been massively compromised for years,and is probably up for sale to the highest bidder already. Plus what about the security implications of how this data is stored and where??

Yet the rate at which our governments are using these private companies to handle our most private data is actually increasing. I am actually more concerned at this,because we are just handing stuff over to these companies,ie,no hacking or infiltration needed! Plus the other issue,is how is the data going to be used - how long before some politicians decide they can use it to shape public opinion to stay in power longer,or a big company can use it to help themselves?

For clarity companies don't have access to your NHS data (unless you've agreed to join a clinical trial, in which case you've consented,) at all.

They have access to aggregate data, so they know 325 people in Town A suffer ailment B and are on medication C. But not who those people are, their NHS/hospital number, full address, DOB etc.

[CAT-THE-FIFTH]

The UK government's "nudge unit" is doing exactly that and has been for some time.

If you want just a taste of the power of these companies when combined, have a gander at Maltego. It's used as the core of social engineering and beings together all open source intel (social media, etc) into one simple graph in order to plot how you're going to deliver a payload to a target. There are a few videos on Youtube on Maltego.

I am aware of it,but Palantir Technologies is another one to look at,as they have their finger in both medical data,intelligence data and military stuff worldwide. They are even involved in vehicle tracking,etc:
https://theoutline.com/post/3978/pet...=1&zi=ln7tnte3

Look who provided venture funding for it....totally not CIA related and the CEO was one of the founders of Paypal. Now have you heard of DARPA LifeLog:
https://en.wikipedia.org/wiki/DARPA_LifeLog
https://www.vice.com/en_us/article/v...it-ended-badly

Hmm......Facebook anyone?

Then when you consider Apple,Google and Amazon have all these smart devices,monitoring you in real time,it only needs some clever sparks to be able to aggregate all of it together.

Even something as simple as loyalty cards are a form of data mining - companies can actually look at changes in purchasing habits and link it with changes in your lifestyle.

This ONN skit does make me chuckle though:
https://www.youtube.com/watch?v=cqggW08BWO0

For clarity companies don't have access to your NHS data (unless you've agreed to join a clinical trial, in which case you've consented,) at all.

They have access to aggregate data, so they know 325 people in Town A suffer ailment B and are on medication C. But not who those people are, their NHS/hospital number, full address, DOB etc.

The problem is we don't know the full extent of what they have actual access too though,because only governments could tell us that.

Which is all OK if you look at in isolation. The problem is these companies have access to tons of different data sets,and have spent lots of money on powerful data analytics,etc. So trying to anonymous stuff might not actually work,since they can link different data sets together. Its not even being able to identify individuals,but more group analytics.

This is why allowing singular companies to have access to so many data points is dangerous,and as time progresses more and more stuff is being palmed off to them.

[Saracen999]

For clarity companies don't have access to your NHS data (unless you've agreed to join a clinical trial, in which case you've consented,) at all.

They have access to aggregate data, so they know 325 people in Town A suffer ailment B and are on medication C. But not who those people are, their NHS/hospital number, full address, DOB etc.

Unless memory fails me, some companies have access to anonymised data, for research purposes, unless the patient explicitly opted out, at which point the local GP/hospital should have added the "Read exclude" codes to the files that prevent the automatic "scraping" of data to the Spine. That was certainly how it was explained to me when I queried it with our practice manager, and unless a patient opted out before uploading, it was too late once uploaded. This was, oh, five to ten years ago.

Thing is, how difficult would it be to de-anonymise such data if they wanted to? Which is why I opted out. Once uploaded, and most definitely once passed to "research" companies, it was far too late to ask questions.

Unless I was told wrong?

[Saracen999]

This is my main problem - "human rights" is increasingly used as a geopolitical weapon especially against small non-superpower nations. So in this modern information age,when we excuse make for horrible regimes,then shout at so many countries(who are even democractic and have better records),using "human rights" it's becoming a joke worldwide. The problem is increasingly the rest of the world,is seeing it for this,and you can see how various countries(dozens) are on purpose voting against our own resolutions. Africa and Asia(outside China) is basically criticising the use of the human rights law courts,since they feel they are being disportionately targetted whilst ALL of the superpowers get away scots free. Then those same international courts try to investigate ANY superpower they get threatened.

Instead of just being honest about our intentions,we just wrap it up in buzz words. The problem is when there are real human rights abuses to be investigated,so many countries just don't bother as it's like crying wolf all the time. So China and Russia basically use it as cover.

We made judgements of countries with their own problems in Africa,Asia and South Amercia,to the extent we allow groups,who even used suicide bombs to actively fund raise in our countries,and then castigated the governments at the same time. The issue is then China,and Russia step into the void,or these very rebel groups,exchange cliff notes with other groups which are against us,then it leads to problems for our own countries.

Plus so many of "interventions" were against "perceived threats" which in hindsight we realised were not real.An example is Iran,did we really need to kick out a democratically elected PM,who only really wanted more of their oil wealth to be for his own people? They not only ended up with the Shah of Iran,but the current Ayatollahs for 67 years. Now China has stepped into the void and is signing agreements with them. So who created that problem then?? Saudi Arabia due to its financial clout is actually going to smaller and poorer countries,and using their finances to spread ultra conservative religious thinking.

Look in South America,with all the pushing out of democractic governments in favour of dictatorships such as Pinochet? Was that really needed either? All because they "might" go a bit left,but looking at Chile's own history after he stepped down,they swung between both sides,so all of it was not required in the end. Basically in many of these cases the general public couldn't be "trusted" with democracy apparently. How is that strengthening democracy and a free world?

There's a reason the old adage says the road to hell is paved with Good intentions, the Shah (and consequences) being a good example. Iraq being another.

History is littered with examples that 20:20 hindsight makes clear went badly wrong. Suez? Partition of India? And the British "Empire's" fingerprints, if not hob-nailed boots, are all over an uncomfortable number of them.

My only issue is that if action has consequences, so does inaction and either way, it requires a decision. If the US and, to a lesser extent, the UK hadn't made geopolitical moves in the middle East, that certainly doesn't prove the USSR wouldn't have, and if a Stalinesque regime had it's boots on the throat of much of the world's oil supplies, we could all be speaking Russian. Or German, had we (and loads of others) not opposed Hitler.

We know that, fairly often, acting turned out badly. We don't, and cannot, know if not acting would have turned out much worse. Oh, for a 100% reliable crystal ball.

[spacein_vader]

Unless memory fails me, some companies have access to anonymised data, for research purposes, unless the patient explicitly opted out, at which point the local GP/hospital should have added the "Read exclude" codes to the files that prevent the automatic "scraping" of data to the Spine. That was certainly how it was explained to me when I queried it with our practice manager, and unless a patient opted out before uploading, it was too late once uploaded. This was, oh, five to ten years ago.

Thing is, how difficult would it be to de-anonymise such data if they wanted to? Which is why I opted out. Once uploaded, and most definitely once passed to "research" companies, it was far too late to ask questions.

Unless I was told wrong?

That's mostly accurate, the bit that's not is once your data is uploaded that's it. You can change your mind at any point and if you opt-out now then that data is removed (it can take up to a week for that to filter through to all Trusts though,) although your GP and any secondary care facilities (i.e. hospitals,) you're currently being treated by will still keep a copy until/unless you're no longer treated there.

Even if you don't opt-out and are included in the upload to a company not all your info is in it. Your name isn't, your age is, but not DOB. Your approximate location (usually post sector which is first half of post code + first number of second half, but occasionally larger if not enough addresses are in that sector to maintain clear anonyminity,) but not full address.

Equally, the spine is not even close to your full record. It's your Summary Care Record (SCR). The spine definitely includes your current medications (if any,), allergies & reactions to previous medications and your name, DOB, address and NHS number. Even if you opt-out. This is considered the bare minimum information that the NHS may need to identify you and avoid potentially killing you via reactions/medication clashes in the event of an emergency. If you don't opt out it can include some/all of; significant medical history, reason for medication, anticipatory care information (such as information about the management of long term conditions), end of life care information (i.e. do you have a DNR or Power of attorney?) and immunisations.

You can submit a Subject Access Request to NHS Digital and they will show you a copy of the content and also the logs of which organisations have accessed it and when. You could then issue a follow up SAR to any or all organisations that had accessed it to find out why. https://digital.nhs.uk/services/summ...re-records-scr

The NHS does actually take this stuff very seriously, to the extent that to make it legal for NHS Trusts to share COVID data with each other/NHS England/Public Health England the Health Secretary had to issue a Control Of Patient Information (COPI) notice to do so and even then it expires after 6 months of issue. There is also a very high bar to meet for one of these notices to be issued which sadly COVID meets. If you want to read the notice and its FAQs it's here: https://www.nhsx.nhs.uk/covid-19-res...ked-questions/

A common misconception is that there is one NHS and it has one master copy of your whole medical history. There isn't and it doesn't. Your hospital knows everything about your treatment there, but nothing about your GPs records on you unless it asks and then the GP sends over only what they think is relevant. The reverse is true for the GP. The local mental health/community care Trust doesn't have the GP or hospital data either. The hospital you visit while on holiday knows nothing more than what's on the spine so will send requests to your GP/local hospital. Each one of those organisations has a Data Protection Officer who scrutinises new IT projects, sharing agreements with outside organisations (both public and private,) and investigates queries or complaints by patients independantly of senior management.

From what I hear they're all exceptionally scrupulous, dilligent, hard working and incredibly good looking.

EDIT: And underpaid.

[John_Amstrad]

Once again UK runs as a dog behind US craziness

[Tabbykatze]

Analysis of the source code by GCHQ tells us nothing. How do you think those firmware updates are going to be put onto the hardware? Huawei equipment and likely via a Huawei bootloader. In the field. So, you run an MD5 on the file before uploading it to verify it's the same software as checked and validated by GCHQ. They you use your Huawei equipment (I wonder how well secured that is on site) to upload it. If I can patch a back door or trojan into a file as it passes through from someone else's computer to another by being the MITM (in this case on the kit used to interface with the cell kit, the bootloader in the cell kit or some microcode which can't be verified after installation) then the Chinese government certainly can.

The networks that these network nodes are on are heavily locked down, when I was just doing an install into their staging network (my security clearance wasn't high enough for their actual network, needed DV for that), you had to access it via two secured hops through vpn point to point alongside a one time password MFA. That's because those networks for data plane cannot directly access the internet or be accessed easily or in some cases, at all!

So this then comes down to my big issue when I see people poopoo what has been looked into. This network equipment is generally in secured cabinets in quite well set up datacentres and there are many checks between the sourcing of any installation and actual installation. You think the checking just stops at analysis of the current running firmware, it's end to end checked and on the fly manipulation of an installer is incredibly difficult, especially if it is digitally signed. And to point out, there is very little that cannot be verified post installation.

The other major thing you're forgetting is a lot of these networks have network traffic analysis nodes constantly cataloguing and identifying what any of the network equipment is communicating to and the vast majority of these network devices aren't even capable of moving outside of their network let alone communicating with China or even a proxy to China.

Everything you have said is possible through extreme difficulty and would be discovered quite quickly if done on more than a couple of edge devices and is wholly possible on any piece of network equipment installed. The threat chain you have described is certainly doable on Samsung, Cisco, HP and on Extremes network equipment and a dedicated state wouldn't let a manufacturer stop them.

I don't deny that China has one of the highest state sponsored military/civilian cyber warfare programs next to Russia and USA, but look at it objectively: If Huawei (the largest high technology business in China) were to be compromised from the inside by the CCP and actual evidence were presented of this fact, then the CCP would be literally shooting all their high technology businesses in the back of the head.

It's better to compromise equipment not sourced from your own country because it's A) just as easy (just as easy does not make it any less hard) and B) absolves your countries businesses from "interference".

[Saracen999]

....

From what I hear they're all exceptionally scrupulous, dilligent, hard working and incredibly good looking.

EDIT: And underpaid.

I'd heard that too. I'm not entirely convinced of the objectivity of my source and, in line with good journalistic practice, require a verifiable and objective corroborative source before committing to it. And no, Mrs _Vader doesn't qualify .... even assuming she agrees.

I was, however, definitely told, in writing, that once data was uploaded it was outside my ability to affect it. Maybe it changed? Legal challenge to that? Maybe?

[spacein_vader]

I'd heard that too. I'm not entirely convinced of the objectivity of my source and, in line with good journalistic practice, require a verifiable and objective corroborative source before committing to it. And no, Mrs _Vader doesn't qualify .... even assuming she agrees.

I was, however, definitely told, in writing, that once data was uploaded it was outside my ability to affect it. Maybe it changed? Legal challenge to that? Maybe?

As I understand it, assuming you changed from "use my data" to "don't use my data" then your data is removed from all future datasets, projects and sharing. It will still be present in any projects etc that had been started while you were still involved.

Mrs Vader has reviewed the thread and stated she only believes the underpaid part.

[Saracen999]

As I understand it, assuming you changed from "use my data" to "don't use my data" then your data is removed from all future datasets, projects and sharing. It will still be present in any projects etc that had been started while you were still involved.

Mrs Vader has reviewed the thread and stated she only believes the underpaid part.

That's certainly not quite what I was told, unless we're miscommunicating.

I was told that if you changed GP preferences to "don't share" that it would certainly prevent further uuploads, but after a given date (years ago) you couldn't recall or restrict usage of what had already been uploaded.

That is to say, if you didn't stop it before it got uploaded from local GP records, you were permanently stuffed.

Note: I do accept your earlier point about summary records, for sure. Even at the point in time I'm talking about, some data subjects were excluded from uploads, including (IIRC) "sensitive" data like mental history, STDs, suicide attempts and I think (not sure though) drug abuse issues. I remember reading about those but as I had none, didn't pay full attention.

But if I get you correctly, you mean even once uploaded you can restrict future uses of that already-uploaded data, except in so far as it's already in use in specific projects???

If so, that's certainly a significant improvement over what I was told. My main reservation would still be about just how difficult it would be, in many cases, to de-anonymise anonymised data, if you process it in conjunction, for example, with other non-NHS datasets.

How much, for instance, could be de-anonymised if processed with commercial datasets, Google data, insurance company database records, etc.

If data is only supplied in aggregate form, and with limits on the level of granularity, then I neither had nor have a problem. But I do have issues with my medical records, even anonymised or pseudo-anonymised, being supplied to any firm of commercial company without my explicit case-by-case agreement. And as case by case permissions weren't on offer, for reasons of pacticality I have some sympathy with, the only viable option was to blanket block every form of upload that was within my ability to block.

Also, I see a significant difference between uploading data for use within the NHS to verify eligibility, for example, and transferring that data to private companies other than in aggregate form, for any purpose.

Also Note: I might well agree to even non-anonymised day being transferred for specific purposes, if asked. But blanket permission? Hell, no. Not ever.


Clarification: I'm not saying you're wrong, space in. Not at all. Just that it's not quite what I was told when I took this up at the time.

[half_empty_soul]

I fully support that desicion, 2 nation you should never trust they will play fair - China and Russia
we should to start to get back factories from China back on our land